Passwords Can Be Your Downfall
DevOps and Database expert Yaniv Yehuda talks about the issues with unmanaged passwords.
Continuous processes can increase productivity, speed up time to market, reduce risk, and increase quality, but they need to be built on top of a robust process. The process must be thought out correctly and able to handle the organizational challenges, but at the same time needs to be very efficient, quick, robust and accurately repeatable. For this reason, enterprises use a number of in-house/custom applications to automate their processes. This is true of the database as well, where solutions like DBmaestro bring DevOps to the database.
While these tools provide a serious competitive edge, they also bring the risk of downtime or a security breach. Unmanaged passwords used by in-house/custom applications are typically stored locally in configuration files or embedded in upgrade SQL scripts in clear text. These credentials can be easily captured and exploited by malicious users or external attackers. In addition, any manual change to these credentials requires downtime or a maintenance window while the credentials are updated across environments.
A single oversight during a manual application password change may lock an Oracle account, causing all other applications and/or application instances to stop operating. Furthermore, as these credentials are NOT centrally managed, it is difficult to track who or what has access to them and whether there may be a potential misuse of credentials by a malicious user or external attacker.
To achieve secure DevOps for databases, privileged application credentials should be removed from in-house/custom applications, DevOps solutions, and upgrade SQL scripts. Credentials should be centrally stored, managed, and automatically rotated, either based on predetermined security policies or on demand, without downtime or a maintenance window. Any DevOps, release automation, continuous delivery, or continuous integration solution that executes SQL scripts across environments should retrieve the credentials from a secured digital vault.
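One way to find the clear-text credentials that have to come out of upgrade SQL scripts and configuration files before they move to a vault, as an added example that is not DBmaestro or CyberArk code. The patterns, rule names and sample file contents are assumptions constructed for illustration; they cover common Oracle SQL*Plus forms and are not exhaustive.

```python
import re
import sys

# Run-time placeholders are not literal secrets: &pw / &&pw (SQL*Plus), ${VAR}, {{var}}, %VAR%.
PLACEHOLDER = re.compile(r"""^["']?(&&?\w+\.?|\$\{?\w+\}?|\{\{.*\}\}|%\w+%)["']?$""")

RULES = [
    # SQL*Plus "CONNECT user/password@service" or "sqlplus user/password@service"
    ("connect-string", re.compile(
        r"\b(?:conn(?:ect)?|sqlplus)\s+(?:-\S+\s+)*[\w$#]+/(?P<secret>[^\s@/]+)@", re.I)),
    # CREATE/ALTER USER ... IDENTIFIED BY password (or BY VALUES 'hash')
    ("identified-by", re.compile(
        r"""\bidentified\s+by\s+(?:values\s+)?(?P<secret>"[^"]+"|'[^']+'|[^\s;]+)""", re.I)),
    # key=value or key: value entries in configuration files
    ("config-password", re.compile(
        r"\b(?:password|passwd|pwd)\s*[=:]\s*(?P<secret>\S+)", re.I)),
]

def scan_text(name, text):
    """Return findings as (file, line number, rule, redacted line)."""
    findings = []
    # Comment lines are scanned too: a commented-out password is still exposed.
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m and not PLACEHOLDER.match(m.group("secret")):
                # Redact so the report does not become another clear-text copy.
                redacted = line[:m.start("secret")] + "****" + line[m.end("secret"):]
                findings.append((name, lineno, rule, redacted.strip()))
    return findings

# Constructed samples, not taken from any real system.
SAMPLE_SQL = """\
CONNECT app_owner/Sup3rS3cret@ORCLPDB1
ALTER USER report_ro IDENTIFIED BY "Winter2016";
CONNECT app_owner/&&app_pw@ORCLPDB1
CONNECT /@ORCLPDB1
"""
SAMPLE_CFG = """\
db.password=Sup3rS3cret
db.password=${DB_PASSWORD}
"""

if __name__ == "__main__":  # scan files given as arguments, else the samples
    sources = [(p, open(p, errors="replace").read()) for p in sys.argv[1:]] or [
        ("upgrade_042.sql", SAMPLE_SQL), ("deploy.properties", SAMPLE_CFG)]
    hits = [f for name, text in sources for f in scan_text(name, text)]
    print(*("%s:%d: %s: %s" % h for h in hits), sep="\n")
    sys.exit(1 if hits else 0)  # non-zero exit fails the pipeline step
```

Run as a pre-merge or pre-deploy step, the non-zero exit blocks a script that still carries a literal password, while substitution variables and wallet-style `CONNECT /@service` lines pass.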
This is why we recently integrated DBmaestro TeamWork with CyberArk Application Identity Manager. Organizations can now automatically retrieve and rotate application credentials securely stored in the CyberArk Secure Digital Vault. Passwords can be rotated based on the organization’s security policy for both in-house/custom applications and the DBmaestro TeamWork Oracle solution.
In addition, the joint solution combines individual accountability with detailed tracking and reporting on all application privileged account activity, enabling organizations to meet diverse sets of compliance requirements.
To stay competitive, organizations must implement DevOps for their database, but at the same time, it is prudent to reduce any and all risks.
Published at DZone with permission of Yaniv Yehuda, DZone MVB. See the original article here.